LinuxQuestions.org
Debian This forum is for the discussion of Debian Linux.
Old 09-26-2006, 06:14 PM   #1
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,610

Rep: Reputation: 45
add reload and restart options to the firewall script


Hi,

on my Debian Sarge stable I have the following firewall script:
Code:
#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

# Flush all three tables and delete user-defined chains before any action
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X


case "$1" in
   start)
     echo -n "Starting firewall.."

# Restrict: default policies drop everything not explicitly allowed
# (the tables were already flushed above)
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT


# SYN-flood attack protection: rate-limit new TCP connections in a
# dedicated chain.  SYNs within the limit RETURN and are then judged by
# the per-service rules below; SYNs over the limit are dropped.
# (A plain "--syn -m limit -j ACCEPT" directly in INPUT would instead
# accept one SYN per second to ANY port, bypassing the whole policy.)
$IPTABLES -N syn_flood
$IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn_flood -j DROP
$IPTABLES -A INPUT -p tcp --syn -j syn_flood
$IPTABLES -A FORWARD -p tcp --syn -j syn_flood

# Disable ping (dropping echo-reply also discards replies to the
# firewall's own pings)
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP


# Public Networks (address elided by the poster)
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services on the external interface
$IPTABLES -A INPUT -p tcp -m multiport --dports 80,443 -i $EXT_IF -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP (load ip_conntrack_ftp so data connections match RELATED)
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP over SSL (IMAPS)
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SMTP over SSL (SMTPS)
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN: source-NAT the LAN to the public address
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN (ESP) packets arriving on the external interface
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

# The nat table only sees the first packet of each connection; ACCEPT here
# just means "no DNAT" for marked VPN traffic from the remote LANs.  The
# traffic itself is allowed by the filter rules further down.
#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Accept replies to connections the firewall itself started
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i $INT_IF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN (IKE)
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Forwarding: replies, marked VPN traffic, and anything from the LAN
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection: new connections from outside addressed to the LAN
# (only the first packet of a connection passes through nat PREROUTING,
# which is enough to block the connection)
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP


echo "..done"
     ;;
   stop)
     echo -n "Stopping firewall.."
     $IPTABLES -F
     $IPTABLES -P FORWARD DROP
     $IPTABLES -P OUTPUT ACCEPT
     $IPTABLES -P INPUT ACCEPT
     echo "done"
     ;;
   *)
     # $0 is the script name; the original used $NAME, which was never set
     echo "Usage: $0 {start|stop}"
     exit 1
     ;;
esac
How do I add reload and restart options to this script?
 
Old 09-26-2006, 06:47 PM   #2
chadl
Member
 
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129

Rep: Reputation: 16
Here is an example of how I have done something like that in the past:
Code:
#!/bin/bash
case "$1" in
        start)
                echo "Starting"
                ;;
        stop)
                echo "Stopping"
                ;;
        restart)
                # re-run this script with "stop", then with "start"
                echo "Restarting"
                $0 stop
                $0 start
                ;;
        reload)
                # "start" already rebuilds everything, so reload is the same
                echo "Reloading"
                $0 start
                ;;
        *)
                echo "Unknown command" 1>&2
                echo "Usage: $0 {start|stop|restart|reload}" 1>&2
                exit 1
                ;;
esac
This will just run the script with the stop command, and then the start command when you tell it to restart, and it will run the start command when you tell it to reload (you may have to edit the actions to what you want).

$0 stands for the name of the command, so it is just a quick way of calling itself. In this script, if you put it in a file and make it executable, when you run it with:
Code:
 ./test.sh restart
Then it will print out Restarting, then Stopping, then Starting. "reload" will just print out Reloading and then Starting.

Last edited by chadl; 09-26-2006 at 06:55 PM.
 
Old 09-27-2006, 04:11 AM   #3
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,610

Original Poster
Rep: Reputation: 45
Thanks a lot!

I changed it and hope it's OK now:
Code:
#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

# Flush all three tables and delete user-defined chains before any action
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X


case "$1" in
   start)
     echo -n "Starting firewall.."

# Restrict: default policies drop everything not explicitly allowed
# (the tables were already flushed above)
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT


# SYN-flood attack protection: rate-limit new TCP connections in a
# dedicated chain.  SYNs within the limit RETURN and are then judged by
# the per-service rules below; SYNs over the limit are dropped.
# (A plain "--syn -m limit -j ACCEPT" directly in INPUT would instead
# accept one SYN per second to ANY port, bypassing the whole policy.)
$IPTABLES -N syn_flood
$IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn_flood -j DROP
$IPTABLES -A INPUT -p tcp --syn -j syn_flood
$IPTABLES -A FORWARD -p tcp --syn -j syn_flood

# Disable ping (dropping echo-reply also discards replies to the
# firewall's own pings)
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP


# Public Networks (address elided by the poster)
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services on the external interface
$IPTABLES -A INPUT -p tcp -m multiport --dports 80,443 -i $EXT_IF -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP (load ip_conntrack_ftp so data connections match RELATED)
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP over SSL (IMAPS)
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SMTP over SSL (SMTPS)
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN: source-NAT the LAN to the public address
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN (ESP) packets arriving on the external interface
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

# The nat table only sees the first packet of each connection; ACCEPT here
# just means "no DNAT" for marked VPN traffic from the remote LANs.  The
# traffic itself is allowed by the filter rules further down.
#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Accept replies to connections the firewall itself started
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i $INT_IF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN (IKE)
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Forwarding: replies, marked VPN traffic, and anything from the LAN
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection: new connections from outside addressed to the LAN
# (only the first packet of a connection passes through nat PREROUTING,
# which is enough to block the connection)
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP


echo "..done"
                ;;

        stop)
                echo -n "Stopping firewall.."
                $IPTABLES -F
                $IPTABLES -P FORWARD DROP
                $IPTABLES -P OUTPUT ACCEPT
                $IPTABLES -P INPUT ACCEPT
                echo "done"
                ;;
        restart)
                # "stop" already flushes and opens the policies, so there is
                # no need to repeat those commands here
                echo "Restarting firewall.."
                $0 stop
                $0 start
                ;;
        reload)
                # "start" flushes and rebuilds everything, so reload is the
                # same operation without the intermediate open state
                echo "Reloading firewall.."
                $0 start
                ;;
        *)
                echo "Unknown command" 1>&2
                echo "Usage: $0 {start|stop|restart|reload}" 1>&2
                exit 1
                ;;
esac
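The dispatch pattern chadl suggests and the restart case in the script above both pass through an open state: "stop" sets the INPUT policy to ACCEPT and flushes the rules, and only afterwards does "start" rebuild them rule by rule, so a remote host is briefly unfiltered on every restart, and a typo half-way through "start" leaves it with a partial ruleset. The following is an added example, not code from the thread, showing the same start/stop/restart/reload interface written so that reload and start never go through that window: the whole ruleset is generated as text in iptables-save format and loaded in one step with iptables-restore, which applies the table atomically (all of it or none of it). The interface names, the LAN address, the admin network in SSH_ADMIN, the reduced filter-only ruleset, the chain name SYN_FLOOD and the function names are assumptions for illustration. The script only touches the live tables when given an argument, so it can be sourced with "." to inspect the generated ruleset first.

```shell
#!/bin/sh
# Added example (not from the thread): start/stop/restart/reload for an
# iptables firewall, with start and reload applied atomically via
# iptables-restore instead of a stop/start sequence.  All names below are
# assumptions; the IPTABLES* variables can be overridden from the
# environment, which is also how the example is tested without root.

IPTABLES="${IPTABLES:-/sbin/iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LOCAL_LAN="${LOCAL_LAN:-192.168.115.0/24}"   # LAN as in the thread (assumed)
SSH_ADMIN="${SSH_ADMIN:-192.168.115.0/24}"   # assumption: where admins SSH from

# Print the complete filter table in iptables-save format.  Keeping the
# policy as one text blob lets iptables-restore load it in a single
# transaction: a syntax error anywhere means nothing is changed.
fw_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --syn -j SYN_FLOOD
-A INPUT -p tcp --dport 22 -s $SSH_ADMIN -j ACCEPT
-A INPUT -i $EXT_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $INT_IF -s $LOCAL_LAN -j ACCEPT
-A SYN_FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN_FLOOD -j DROP
COMMIT
EOF
}

# Stop: flush everything and fall back to ACCEPT on INPUT, the same
# semantics as the thread's "stop" case.  This is the only action that
# leaves the host unfiltered, so restart is the only path through it.
fw_stop() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -t nat -F
    "$IPTABLES" -t nat -X
    "$IPTABLES" -t mangle -F
    "$IPTABLES" -t mangle -X
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
}

# Start and reload are one operation: replace the filter table with the
# generated ruleset in a single atomic step.  There is no moment at which
# the old rules are gone and the new ones are not yet in place.
fw_start() {
    fw_ruleset | "$IPTABLES_RESTORE"
}

fw_restart() {
    fw_stop && fw_start
}

fw_main() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_restart ;;
        reload)  fw_start ;;          # no stop: never open the policy
        *)
            echo "Usage: $0 {start|stop|restart|reload}" >&2
            return 1
            ;;
    esac
}

# Dispatch only when invoked with an argument; running or sourcing the
# file without one just defines the functions (useful for "fw_ruleset").
if [ $# -gt 0 ]; then
    fw_main "$@"
fi
```

Usage is the usual "./firewall.sh reload"; to review what would be loaded without touching the kernel, ". ./firewall.sh; fw_ruleset". On a remote box it is still worth pairing "reload" with a scheduled fallback (for example "sleep 60 && ./firewall.sh stop" in the background, cancelled once the new rules are confirmed to let SSH through), because an atomic load of a wrong ruleset is still a lock-out.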
Tags
iptables, shell script